InfoSec Handlers Diary Blog

Researchers Juliano Rizzo and Thai Duong will present a new tool called "CRIME" at the upcoming Ekoparty 2012 conference in 5 days. Their tool takes advantage of a flaw in the SPDY (speedy) TLS compression protocol implementation. It allows an attacker to hijack an encrypted SSL session. It appears that for this attack to work both the website and the browser must support the SPDY protocol. Several widely used websites such as Google, Gmail and Twitter do support the SPDY protocol. Both the Firefox and Chrome browsers also support this protocol. Internet Explorer and Safari does not support SPDY and are not vulnerable.

It is recommended that you disable the use of the SPDY protocol on your HTTPS websites until the problem is addressed.

There is an interesting article that was just published by Microsoft's Digital Crimes Unit. Attackers have been infecting manufacturer supply chains to spread their evil warez. Some unnamed manufacturers have been selling products loaded with "counterfeit versions of Windows software embedded with harmful malware." The article goes on to say that the "Malware allows criminals to steal a person’s personal information to access and abuse their online services, including e-mail, social networking accounts and online bank accounts. Examples of this abuse include malware sending fake e-mails and social media posts to a victim’s family, friends and co-workers to scam them out of money, sell them dangerous counterfeit drugs, and infect their computers with malware." Microsoft worked with law enforcement and began filtering traffic associated with the domain 3322.org to disrupt the botnet's communications.

Greetings ISC Readers! Today I wanted to share a technique that I find quite useful when I fuzz TCP applications with scapy. Scapy is a Python module used for packet parsing and packet crafting. With scapy you can create just about any packet your heart desires, transmit it to a target, capture the response and respond again accordingly. It is an excellent tool to use for fuzzing network protocols. But it does require a bit of work when fuzzing TCP protocols because you need to track the sequence and acknowledgement numbers. There are countless examples of this on the internet, but let's look at it here briefly. To establish a three way handshake you could do the following.

Then you can transmit your crafted packet to the remote listener as long as you calculate and send the correct sequence numbers. There are a couple of downsides to this technique. First, you have to track the sequence numbers and acknowledgement numbers yourself and increment them as you transmit data. Second, because these are crafted packet, the real TCP stack on your host will send RESETS to the unexpected responses. You have to add some IPTABLES rules to block these RESETS from the real TCP stack. There is another way to do this that can help with these problems.

If you just want to shoot your packets at a TCP target, tracking sequence and acknowledgement numbers isn't necessary. Instead you can use Python sockets to establish the connection, then convert the existing socket to a scapy stream. Once it is a scapy stream you can use all of the normal scapy methods to transmit crafted packets over the established socket. Using this method you don't have to track the TCP sequence numbers and can focus on creating and transmitting your fuzzing packets.

Here is an example. We start the same way and importing scapy. Then we establish a normal Python Socket connection like this:

With one simple call to "connect()" the TCP Handshake is completed. But this is just a normal Python socket object. To use it in scapy you need to create a "StreamSocket()" object that is based on the established socket. You can create a StreamSocket object like this:

>>> mystream=StreamSocket(mysocket)

The resulting "mystream" object is a scapy object that can be used to transmit crafted packets across the existing socket. The mystream object supports the same .recv(), .send(), .sr(), .sr1() and even the sniff() methods that you have with other scapy objects. Now all you have to do is craft a packet and send it to your target.